Karen,
You ask a very good question about banner ads.
Our intention is that all content served through HTTP
should have a P3P policy associated with it. This
includes banner ads. I think this is especially important
for ads that are served by a third-party ad network.
A P3P user agent could be designed so that when I
visit a web site, it first fetches the privacy policy that
applies to the page I request. After checking that out,
it parses the actual content, and discovers that there
is an embedded banner ad, and that it has not yet
seen the P3P policy associated with that ad. At that
point it should go into "safe mode", suppressing
referrer field, cookies, etc. and request the ad. The
ad will return a P3P header, and the P3P policy can
be fetched and checked. If the P3P policy matches
the user's preferences it can then exit safe
mode. Note, that this is just one idea of how a user
agent might work, and that some of the first P3P
user agents may not be able to handle embedded
content like this as well as we might like. I think there
are a lot of open questions about the best way to
handle notices about embedded content in the user
interface, so suggestions about the best way to do
this would be appreciated.
I hope that helps. Let us know if you have further
questions.
Regards,
Lorrie Cranor
P3P Specification Working Group Chair
----- Original Message -----
From: Karen Coyle <kcoyle@ix.netcom.com>
To: <www-p3p-public-comments@w3.org>
Sent: Friday, April 14, 2000 9:53 AM
Subject: Re: Exclude header
> At 05:11 PM 4/12/00 -0400, Lorrie Cranor wrote:
>
> Thanks for the reply, Lorrie.
>
>
> >It is important to note that a policy does not automatically apply
> >to embedded content (inline graphics, frames, etc.).
>
> I admit that I hadn't understood that from my reading of earlier versions
> of the protocol. So let me frame another question:
> - "Policy" refers to the current document (i.e. the returned .html)
> - "Prefix" and "exclude" refer to documents on directories *on that
same
> server*
>
> - therefore, "Policy" cannot apply to outside resources such as banner
> ads and their cookies.
>
> So, if all of that is right (and correct me if it isn't), then my question
> is, can the banner ad/cookie mechanism include a P3P header and policy?
>
>
> -------------------------
> Karen Coyle
> http://www.kcoyle.net
>
>